Firefox DoH and DoT?

[JT Strickland]

Shouldn't DNS over HTTP be disabled in firefox if one is using DNS over TLS?
I just had to disable it after an upgrade, I assume, turned it back on.
Is this the correct approach? Can they play together?
thanks,
jts

 

[doczenith1]

Search the Merlin forum. There is a thread dedicated to your question.

 

[dave14305]

If you enable browser-based DoH, your router’s DoT is bypassed completely.

 

[JT Strickland]

If you enable browser-based DoH, your router’s DoT is bypassed completely.

I remembered reading the thread, or part of it, or similar posts. It is difficult for me to grasp why they won't work together just because I don't understand the principles and how these things work, but I am trying to learn. I thought it should be disabled, so I did, and I wanted to be sure that I hadn't misread it. I / we will need to keep an eye on the firefox updates to see it it gets turned on again.
I appreciate the help.

 

[dave14305]

Normally (without DoH) your browser will ask your OS to resolve a hostname to IP. Your OS will send an old-fashioned DNS request to its assigned DNS server (which is usually your router). Your router’s DNS server (dnsmasq) will forward it to the stubby daemon also on the router, which can perform DNS-over-TLS. Stubby sends the now-encrypted DNS request to the DoT servers you configured in the DNS Privacy section of the WAN page. All is good.

When you use a browser’s DNS-over-HTTPS feature, the browser bypasses the OS DNS resolver completely and makes an encrypted HTTPS connection directly to the public DoH server configured in the browser. The OS and router are eliminated from the DNS transaction.

Both queries are encrypted over the Internet, but only the DoT query observes the network operator’s (your) wishes in terms of how DNS should work within your home network.

 

[JT Strickland]

Normally (without DoH) your browser will ask your OS to resolve a hostname to IP. Your OS will send an old-fashioned DNS request to its assigned DNS server (which is usually your router). Your router’s DNS server (dnsmasq) will forward it to the stubby daemon also on the router, which can perform DNS-over-TLS. Stubby sends the now-encrypted DNS request to the DoT servers you configured in the DNS Privacy section of the WAN page. All is good.

When you use a browser’s DNS-over-HTTPS feature, the browser bypasses the OS DNS resolver completely and makes an encrypted HTTPS connection directly to the public DoH server configured in the browser. The OS and router are eliminated from the DNS transaction.

Both queries are encrypted over the Internet, but only the DoT query observes the network operator’s (your) wishes in terms of how DNS should work within your home network.

Thank you sir, that helps. I'm trying to grasp it all, but it's a big bucket to tote. I didn't have a clue to the depth and complexity of just networking, but you guys have taught me a lot.
thanks again,
jts

RT-AC86U w/ 384.17, RT-AC68U Aimesh node w/ same, Diversion, UiDivstats, Skynet, AiProtection, DoT, Scribe, UiScribe, Conmon, SpdMerlin, ScMerlin, Nsrum, NtpMerlin, OpenVPN selective clients

 

[doczenith1]

Another way to look at it based on two different scenarios.

#1 You use Diversion on your router to block ads
Firefox DoH enabled: Firefox will bypass Diversion and therefore no router based ad blocking. DNS request are encrypted.
Firefox DoH disabled: Firefox will not bypass Diversion and use the router's DoT. DNS request are encrypted.

#2 You no not use Diversion on your router to block ads
Firefox DoH enabled: Firefox will use it's own encrypted DNS
Firefox DoH disabled: Firefox will use encrypted DNS provided by router

 

[bits]

Scenario #1
Your provider or government tracks what websites you visit via common methods such as server name indication and dns. You have privacy concerns and do not want that to occur.
Eg Many internet providers right now, who know your name & address, sell your website history(which includes all traffic in browser privacy modes) to marketing companies.

DoH encrypts dns and sni

DoT encrypts dns but leave sni in clear text and allow easy logging of all websites visited.


Scenario #2:
You want to ensure your dns responses have not been tampered with.

DoH offers encryption from the local user application level

DoT on router leaves several portions of the request unprotected and open for tamper.


Scenario #3:
You want encrypted dns(privacy and untampered) but your device connects to other networks

DoH offers encrypted dns in browser for any network your machine connects to.

DoT on your router does not offer your device encrypted dns when connected to other networks.


Scenario #4:
You want to have your device tracked and/or have tampered dns reponses(eg diversion)

DoH will prevent the tracking and tampering so is not suitable if that is what you want.

DoT will allow tracking and tampering of dns for the device.




Firefox is supposed to not automatically turn on DoH if certain criteria is met.
Modern Rmerlin firmware does have a setting to trigger Firefox's "do not automatically turn on DoH" system. If that was enabled it would be odd that Firefox automatically turned on DoH.

 

[JT Strickland]

Firefox is supposed to not automatically turn on DoH if certain criteria is met.
Modern Rmerlin firmware does have a setting to trigger Firefox's "do not automatically turn on DoH" system. If that was enabled it would be odd that Firefox automatically turned on DoH.

Yes, sir, I thought it was odd also. I had just installed a major update to 64 bit firefox 76.0 and the popup came up like before to disable DoH or not. There is the possibility it wasn't turned off before, but I thought I had at least went through the motions, and was counting on AsusWRT Merlin to take it out also because I thought it was addressed in the recent firmware. I'm not positive what happened.

I honestly don't know enough about this yet to change the way I've been doing it. I have read some of the arguments for both ways, and most of it is over may head.

I appreciate the help and suggestions from everyone.
jts

 

[JT Strickland]

I just checked my Firefox configuration and DoH was enabled. Again.
This is getting to be aggravating.
Is anyone else having this issue?
My "prevent auto client DoH" is set to auto. Should it be set to Yes maybe?

I am using Firefox 77.0.1 with automatic updates.

 

[bluzfanmr1]

I just checked my Firefox configuration and DoH was enabled. Again.
This is getting to be aggravating.
Is anyone else having this issue?

I am using Firefox 77.0.1 with automatic updates.

I noticed this was enabled on my wife's Macbook, where she has to use Firefox for work. I haven't had a chance to look into it but I thought the router had a setting that would ensure the browser wouldn't bypass the router DNS. I will try and figure out what is and isn't working.

 

[JT Strickland]

I noticed this was enabled on my wife's Macbook, where she has to use Firefox for work. I haven't had a chance to look into it but I thought the router had a setting that would ensure the browser wouldn't bypass the router DNS. I will try and figure out what is and isn't working.

Yes, sir, I have my DoT on with the profile set to "strict".
That was supposed to take care of it I thought.

 

[heysoundude]

I just checked my Firefox configuration and DoH was enabled. Again.
This is getting to be aggravating.
Is anyone else having this issue?
My "prevent auto client DoH" is set to auto. Should it be set to Yes maybe?

I am using Firefox 77.0.1 with automatic updates.

You're in the United States, I'm assuming - I believe that DoH switching on is automatic for users there. Your browser is autodetecting your location
You may have to dig into about:config (or is that backwards...I haven't used FF in quite some time) to change that.

There are other browsers that seem to be more privacy friendly - have you considered leaving FF for another?

 

[JT Strickland]

You're in the United States, I'm assuming - I believe that DoH switching on is automatic for users there. Your browser is autodetecting your location
You may have to dig into about:config (or is that backwards...I haven't used FF in quite some time) to change that.

There are other browsers that seem to be more privacy friendly - have you considered leaving FF for another?

Yes, sir, but old habits die hard. I've probably been using firefox for over thirty years, or since I started using computers. I've got 30 years of bookmarks too.

 

[heysoundude]

Yes, sir, but old habits die hard. I've probably been using firefox for over thirty years, or since I started using computers.

It’s never too late to learn some new tricks.
I use Brave, both mobile and desktop, and it works pretty darned nicely. When FF stopped working on my pre-intel Macs, I went with TenFourFox. Then I switched to *ubuntu on an Intel (non Mac) machine that comes with FF, but that’s when I became interested in/aware of online privacy, and I happened to stumble across Brave. It works very well in conjunction with Merlin etc. And it’s easier than ever to install and configure. You should give it a test drive to see how it feel for you


Sent from my iPhone using Tapatalk

 

[JT Strickland]

It’s never too late to learn some new tricks.
I use Brave, both mobile and desktop, and it works pretty darned nicely. When FF stopped working on my pre-intel Macs, I went with TenFourFox. Then I switched to *ubuntu on an Intel (non Mac) machine that comes with FF, but that’s when I became interested in/aware of online privacy, and I happened to stumble across Brave. It works very well in conjunction with Merlin etc. And it’s easier than ever to install and configure. You should give it a test drive to see how it feel for you


Sent from my iPhone using Tapatalk

I've downloaded it but never used it. I have a lot of addons for firefox, also, that I have grown accustomed to, such as password managers, etc, that I wouldn't want to do without, but I know I could improve on the privacy issues, etc, on firefox. I am slow and resistant to change. But sometimes it is necessary. Some of them may be available in Brave.

 

[heysoundude]

I've downloaded it but never used it. I have a lot of addons for firefox, also, that I have grown accustomed to, such as password managers, etc, that I wouldn't want to do without, but I know I could improve on the privacy issues, etc, on firefox. I am slow and resistant to change. But sometimes it is necessary.

You may be pleasantly surprised to find that Brave has the password manager you use pre-installed for your convenience in switching.


Sent from my iPhone using Tapatalk

 

[dave14305]

I just checked my Firefox configuration and DoH was enabled. Again.
This is getting to be aggravating.
Is anyone else having this issue?
My "prevent auto client DoH" is set to auto. Should it be set to Yes maybe?

I am using Firefox 77.0.1 with automatic updates.

Auto will only do something if DNS Privacy or DNS Filter is enabled. Use Yes in case you aren't using either feature at the moment.

Despite this distasteful DoH move by Mozilla, I still prefer Firefox on the desktop.

 

[bbunge]

I am a bit concerned about the Firefox implementation of DoH. Recently I used a Pi-Hole for DNS with Asus router on stock firmware and noticed a bunch of blocked requests from a fresh install of a Ubuntu 20.04 PC. The Pi-Hole Malware list blocked the Firefox canary domain that enables DoH. Did not like that so I manually disabled the Firefox DoH via about:config. I've also noticed that the Firefox network.trr.resolvers use URL's ([{ "name": "Cloudflare", "url": "https://mozilla.cloudflare-dns.com/dns-query" },{ "name": "NextDNS", "url": "https://trr.dns.nextdns.io/" }]) and not IP addresses. This means that Firefox first has to resolve the network.trr.resolver via the "system" DNS process. Seems to me that this could set up flags for a hacker or spy to potentially defeat the DoH that Firefox is trying to use.
Sure seems better to me to use DoT/DNSSEC via my Asus router with Merlin.

 

[JT Strickland]

Auto will only do something if DNS Privacy or DNS Filter is enabled. Use Yes in case you aren't using either feature at the moment.

Despite this distasteful DoH move by Mozilla, I still prefer Firefox on the desktop.

Yes, sir, I have DoT for privacy enabled. Maybe I need to find out what to turn off in about:config if this is OK. Or go to Brave.